Fubo VPPA & CIPA Settlement: Why Sensitive Data Sharing Controls Are Needed

On July 1, 2025, ClaimDepot.com first announced that Fubo has agreed to pay $3.4M to settle a class action lawsuit for sharing personal data without consent that allegedly violated of Video Privacy Protection Act (VPPA), the California Invasion of Privacy Act (CIPA), and California Civil Code § 1799.3.

With the class action complaint focusing on Fubo’s violation of VPPA, this marks at least 10 VPPA settlements of over $1M since 2023.

The US federal VPPA law prohibits the disclosure of consumers’ video rental history containing personally identifiable information (PII) without explicit consumer consent.

Fubo is a leading paid video streaming service in the US, and they are now the fourth major streaming service to be sued for violating VPPA since 2024, following Viki, Roku, and Tubi. While most VPPA lawsuits are not made public, it is estimated that over 250 VPPA class actions were filed in 2024, compared to 137 in 2023.

The class action complaint focuses on Fubo’s use of digital tracking technologies (e.g., pixels, cookies) on Fubo’s web streaming service that share personally identifiable information (PII) and video viewing history with advertising and analytics third parties. The complaint also calls out digital tracking used on mobile devices and other devices such as connected TV.

To protect against these privacy risks, privacy teams should continuously monitor how personal data is processed and consent is collected across all their digital products, including websites, mobile apps, and connected TV apps. We call this practice product privacy management. Privado.ai offers the complete product privacy management solution for data visibility and privacy governance across web, app, and backend software products. 

Allegation Summary

In the settlement agreement, the plaintiffs alleges that Fubo violates the following three laws by sharing users’ PII and video viewing history with third parties for the purposes of delivering personalized advertising without properly collecting consent. 

• Video Privacy Protection Act (VPPA)
• California Civil Code § 1799.3
• California Invasion of Privacy Act (CIPA)

The class action complaint states “while creating their accounts, subscribers are not specifically asked to consent to [Fubo] sharing and disclosing their PII to third parties, including information which identifies them as having viewed specific video content.”

Video Privacy Protection Act (VPPA)

Legal Requirement

This US federal law prohibits the disclosure of consumers’ video rental history containing personally identifiable information (PII) without explicit consumer consent.

Violators are liable for up to $2,500 in damages per person whose data was shared illegally. 

Significance

• VPPA requires explicit consent before sharing consumers’ video viewing history, similar to how the FTC (Federal Trade Commission) treats sensitive health, financial, or location data.
• Although originally designed to limit the sharing of VHS tape rental history, the courts now apply this law to any digital video service, including on web, mobile app, and connected TV. 
• VPPA allows for the private right to action and government enforcement. This means that in addition to government regulators, anyone like the individual in the Fubo case can file a class action lawsuit against companies that violate VPPA. In Roku’s case, the Michigan Attorney General filed a lawsuit on behalf of the public.  
• Fubo had 1.6M US subscribers when the lawsuit was filed in 2023. Using the $2,500 per violation requested in the complaint would mean a penalty of up to $4B if Fubo had not settled. 
• VPPA is the primary cause of this lawsuit and at least 10 others since 2023 that have resulted in settlements of over $1M.

California Civil Code § 1799.3

Legal Requirement

Similar to VPPA, this California state law prohibits video recording sales or rental services shall disclose any personal information or the contents of any record, including sales or rental information, which is prepared or maintained by that person, to any person, other than the individual who is the subject of the record, without the written consent of that individual.

Violators are liable for up to $500 in damages per violation.

Significance

• The plaintiffs utilized this state video privacy law to increase the settlement amount.
• Claim members located in California can claim 10% more than the standard payment all other claimants will receive.

California Invasion of Privacy Act (CIPA)

Legal Requirement

This California state law prohibits recording or intercepting communications without explicit user consent. Enacted in 1967, it specifically refers to wiretapping or listening devices but has recently been used to sue for unlawful digital tracking on websites and apps. 

Violators are liable for up to $2,500 in damages per violation. 

Significance

• Similar to the previous California state law referenced, the plaintiffs utilized CIPA to increase the settlement amount.
• Since 2022, there has been a massive uptick in CIPA lawsuits. Law firm Fisher Phillips estimates over 5,000 companies have been sued or received CIPA demand letters.
• With most CIPA cases settled confidentially, this Healthline settlement represents one of the largest CIPA-related settlements announced publicly.  

Key Takeaways

• With Fubo and Roku facing VPPA enforcement in the past 3 months, all video streaming companies in the US should be vigilant about potential VPPA lawsuits. VPPA is a federal law with a privacy right to action, meaning any individual can bring a lawsuit.
• Video streaming companies need privacy risk monitoring solutions for their websites, mobile apps, and connected TV apps to continually ensure all data shared is compliant.
• Any company potentially sharing other sensitive personal data (health, financial, or location data) also needs to continually monitor privacy risk across websites, apps, and backend software to prevent legal action.

How Privado.ai mitigates privacy risk across digital products 

• Web Auditor: Scan your websites to ensure consent banners, pixels, and data flows are compliant with each regulation in each location. No technical implementation required.
• App Auditor: Scan app files to ensure consent banners, SDKs, and data flows are compliant with each regulation in each location. No technical implementation required.‍
• Privacy Code Scanning: Obtain real-time visibility and governance for how personal data is collected, used, shared, and stored by continuously scanning the code that runs your web, app, and backend software products.